Security Researcher Exposes Google Weakness That Enabled Phone Number Harvesting Through Account Recovery Bypass
Google has resolved a critical security vulnerability that allowed attackers to systematically extract users' recovery phone numbers, creating pathways for account takeovers and privacy breaches. The flaw was identified by Singapore-based security researcher "brutecat," who demonstrated how the weakness could be exploited to compromise user accounts.

The Vulnerability Mechanics
The security issue centered on Google's account recovery infrastructure, specifically targeting an obsolete version of the username recovery portal that operated without JavaScript functionality. This deprecated form, accessible at "accounts.google[.]com/signin/usernamerecovery," was designed to verify whether recovery credentials (email addresses or phone numbers) were linked to particular user display names.
The critical weakness lay in the absence of robust anti-abuse mechanisms on this legacy interface. Unlike modern versions protected by CAPTCHA systems and rate limiting, this older form could be systematically queried without triggering security controls.
Attack Methodology
The exploitation process involved a multi-step approach that combined several Google services:
Phase 1: Display Name Extraction. Attackers could obtain a target's full name by creating a Looker Studio document and attempting to transfer ownership to the victim's account. This process would inadvertently reveal the user's complete display name on the platform's homepage.
Phase 2: Partial Phone Number Discovery. By initiating Google's standard password reset procedure for a target email address, attackers could view a masked version of the recovery phone number. This typically displayed most digits as asterisks while revealing the final two digits (example format: •• ••••••03).
Phase 3: Systematic Number Reconstruction. Using the unprotected username recovery endpoint, attackers could systematically test all possible combinations of the remaining digits. The researcher demonstrated that Singapore phone numbers could be fully recovered within 5 seconds, while U.S. numbers required approximately 20 minutes due to their longer format.
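One way a defender could detect the pattern described in the three phases above, added here as an example and not code from Google or the researcher: it flags any display name for which many distinct phone numbers are checked within a short window, counting across all clients rather than per client. The log fields, the thresholds and the sample records are assumptions constructed for illustration.

```python
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # assumed sliding window
MAX_DISTINCT_NUMBERS = 5   # assumed: a real user rarely tries more numbers than this

def common_suffix(numbers):
    """Longest suffix shared by all candidates (the digits a masked hint reveals)."""
    return os.path.commonprefix([n[::-1] for n in numbers])[::-1]

def detect_enumeration(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT_NUMBERS):
    """events: (epoch_seconds, client_id, display_name, phone) tuples.
    Returns {display_name: details} for names whose lookups exceed `limit`
    distinct phone numbers inside `window` seconds. Keying on the looked-up
    name, not the client, means spreading requests over clients does not help."""
    recent = defaultdict(deque)          # display_name -> (ts, phone) inside window
    flagged = {}
    for ts, _client, name, phone in sorted(events):
        q = recent[name]
        q.append((ts, phone))
        while q and q[0][0] <= ts - window:
            q.popleft()                  # drop lookups that aged out of the window
        distinct = {p for _, p in q}
        if len(distinct) > limit and name not in flagged:
            flagged[name] = {
                "first_flagged_at": ts,
                "distinct": len(distinct),
                "shared_suffix": common_suffix(distinct),
            }
    return flagged

# Constructed sample log: one user retrying their own number, then twenty
# lookups of a single name with candidates that all end in the same two digits.
SAMPLE_EVENTS = [
    (990, "client-a", "Sam Sample", "+6590000011"),
    (995, "client-a", "Sam Sample", "+6590000012"),
] + [
    (1000 + i, f"client-{i % 4}", "Alex Example", f"+65800{i:03d}03")
    for i in range(20)
]

if __name__ == "__main__":
    for name, info in detect_enumeration(SAMPLE_EVENTS).items():
        print(name, info)
```

A shared suffix that matches the digits shown in the masked password-reset hint is a strong signal that the lookups are reconstructing one specific number rather than coming from a forgetful user.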
Potential Impact and Exploitation Scenarios
Once attackers obtained complete phone numbers, they could leverage this intelligence for more sophisticated attacks. The primary concern involved SIM-swapping operations, where criminals convince mobile carriers to transfer a victim's phone number to an attacker-controlled device. With control over the victim's phone number, attackers could reset passwords for any accounts using that number for two-factor authentication.
Google's Response and Remediation
Following the researcher's responsible disclosure on April 14, 2025, Google acknowledged the severity of the vulnerability and awarded a $5,000 bug bounty. The company addressed the issue by completely removing the vulnerable JavaScript-disabled username recovery form from their infrastructure as of June 6, 2025.
Researcher's Track Record
This discovery represents the latest in a series of significant security findings by brutecat. Earlier research included:
YouTube Channel Owner Email Exposure: A $10,000 vulnerability that combined flaws in the YouTube API with an outdated Pixel Recorder web API to reveal email addresses of channel owners.
YouTube Partner Program Data Leak: A $20,000 access control vulnerability in the "/get_creator_channels" endpoint that exposed email addresses and monetization details of YouTube Partner Program participants. This flaw affected over 3 million channels and could be exploited to de-anonymize content creators or conduct targeted phishing campaigns.
Security Implications
These discoveries highlight ongoing challenges in maintaining security across complex, interconnected platforms. The phone number harvesting vulnerability particularly demonstrates how legacy systems and deprecated interfaces can create unexpected attack vectors, even when modern security controls are properly implemented elsewhere in the infrastructure.
The researcher's work underscores the importance of comprehensive security audits that examine not just current systems, but also legacy components that may have been overlooked during security updates.